Miggo Logo

CVE-2019-14806: Pallets Werkzeug Insufficient Entropy

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.4514%
Published
8/21/2019
Updated
11/19/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
werkzeugpip< 0.15.30.15.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from how machine identifiers were generated in Docker environments. The pre-patch version of _generate() in get_machine_id() used system files that are identical across containers, creating insufficient entropy for debugger PIN generation. The commit 00bc43b specifically modified this function to check /proc/self/cgroup for Docker container IDs first, demonstrating this was the vulnerable code path. The CHANGES.rst update confirms the debugger pin uniqueness was addressed specifically for Docker containers in this function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

P*ll*ts W*rkz*u* ***or* *.**.*, w**n us** wit* *o*k*r, **s insu**i*i*nt ***u***r PIN r*n*omn*ss ****us* *o*k*r *ont*in*rs s**r* t** s*m* m***in* i*.

Reasoning

T** vuln*r**ility st*ms *rom *ow m***in* i**nti*i*rs w*r* **n*r*t** in *o*k*r *nvironm*nts. T** pr*-p*t** v*rsion o* _**n*r*t*() in **t_m***in*_i*() us** syst*m *il*s t**t *r* i**nti**l **ross *ont*in*rs, *r**tin* insu**i*i*nt *ntropy *or ***u***r PI